
Monday, January 31, 2011

For the last year or so we have been discussing CFATS inspections of facilities that have submitted their Site Security Plans (SSP). What has not been made really clear to many people (and I have been guilty of this myself) is that for the most part these inspections have not been the Authorization Inspections described in the CFATS regulations. They are an additional set of inspections that ISCD has found necessary because SSP submissions have not provided enough information for the review process at Headquarters to determine the adequacy of security measures.

The best description of this new Pre-Authorization Inspection (PAI) process that I have seen can be found in a white paper available through ChemicalProcessing.com. ADT has prepared this white paper, CFATS: Surviving the Site Security Plan. It is well worth reading as it addresses both the PAI and the strategy for avoiding that additional trip to your facility by the Chemical Facility Security Inspectors.

It’s a new year and it seems like CFATS webinars are popping up all over the place, like daffodils in an early spring. Last week I received an email inviting me to register for one put on by ChemicalProcessing.com. The webinar is scheduled for March 17th at 1:00 EST. The three presenters are all well known in the industry and have been mentioned a number of times in this blog, two of them as CFATS bloggers (Ryan Loughin and Steve Roberts) and the other as a source of information on Congress (William Allmond). Any one of these on the bill would be enough to make a webinar worthwhile.

• Roberts “will discuss the interaction with DHS Inspectors; Corporate and Site Preparation for CFATS Authorization Visits; and the differences between CFATS Pre-Authorization Inspections and CFATS Authorization Inspections”; and

Sunday, January 30, 2011

I did a brief blog posting last week mentioning that Sen. Reid (D,NV) introduced the first cybersecurity bill of the 112th Congress; S 21, the Cyber Security and American Cyber Competitiveness Act of 2011. I also mentioned that it looked to be promising because both Sen. Rockefeller (D,WV) and Sen. Lieberman (I,CT) were cosponsors. I had hoped that it would actually be a combination of their separate bills from the last session. I’m sorry that I got anyone’s hopes up.

The GPO finally has a version of S 21 IS (the as-introduced version) available on-line and I can see why it took so long to get it printed; the folks at the GPO could not stop laughing. Sen. Reid, et al, have produced one of the most useless, do-nothing pieces of legislation that I have ever seen. Congressional resolutions honoring ping-pong champions at Division V colleges have more of an effect than does this legislation.

The Congressional Findings section provides a very generic list of the cybersecurity problems facing information systems; nary a mention of control system security. There are five separate findings listed. I’ll only waste your time a little bit by posting just the first, §2(1):

“Malicious state, terrorist, and criminal actors exploiting vulnerabilities in information and communications networks and gaps in cyber security pose one of the most serious and rapidly growing threats to both the national security and economy of the United States.”

The ‘Sense of Congress’ section of the bill is where one would expect to find the action items, and it is there. Sen. Reid, et al, suggest “that Congress should enact, and the President should sign, bipartisan legislation to secure the United States against cyber attack, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses”.

And what should that ground breaking legislation do? Not this bill, but the bill that this bill would encourage Congress to pass. Well, the Non-sense of Congress section provides 10 suggested areas that the future bill should address. Again I will only thrill you with the first objective {§3(1)}:

“(E)nhancing the security and resiliency of United States Government communications and information networks against cyber attack by nation states, terrorists, and cyber criminals;”

I’m glad to see Sen. Reid, et al, taking such forthright action on such a critical issue. Oh, I’m sorry, I jumped the gun. This bill only encourages Congress to enact such ground breaking legislation. I suppose it could be worse; we could see a bill next week encouraging members of Congress to pass S 21.

Friday, January 28, 2011

Readers who follow me on TWITTER (PJCoyle) probably noted a retweet that I made yesterday about an incident at Dugway Proving Ground, UT the night before. There was no information available in the earlier tweet other than a report that the facility was in ‘lock-down’. I have since tracked down some news reports (SLTrib.com and HomelandSecurityNewsWire.com) about the incident. It seems that the facility lock-down was conducted to allow for a search for a missing vial of VX nerve agent.

It turns out that it never left secure storage; it had simply been placed in the wrong container and was improperly marked. That’s the good news. The investigation into the how and why of the incident is on-going. Readers who have been trained in chemical warfare operations know how serious a missing vial of this stuff would have been if it had actually left Dugway.

Many researchers were upset when DHS set a 100-g screening threshold quantity (STQ) for various chemical weapons. This STQ was probably responsible for a handful of university or pharmaceutical research labs having to submit Top Screens. I would suspect that DHS ended up classifying as high-risk any of these labs that did not decide to destroy their inventories to avoid CFATS coverage.

Those of us who spent hours practicing donning chemical warfare gear in very short time limits and were schooled in the wonders of the atropine auto-injector pen will be very happy to know that people are taking seriously the security of even the smallest quantities of these agents. The response of the folks at Dugway is a good example of how seriously the military takes that security. I hope the final investigation shows that this was just an honest mistake. We certainly don’t want to hear that criminals or terrorists were in any way connected with this incident.

Attending security shows, conventions or conferences is a common way for people in the security field to keep up to date on new products, participate in discussions of new developments, or gain access to new information about the threats they may face. Unfortunately, even in the best of economic times, many organizations find the cost of such events, including the related travel costs, to be a limiting factor in allowing their security planning people to attend.

The folks at SecProdOnLine.com appear to have come up with a potential solution to the high cost of attending such events. They are hosting a virtual security show on March 8th. They are advertising this on-line event as having no “travel, no conference fees and no time away from work”.

They note that in addition to the typical presentations that one would expect at such security shows there will be a virtual exhibit hall, allowing attendees to: “Chat in real time with exhibitors and preview the latest products and solutions in our virtual exhibit hall. You’ll have access to free content downloads, presentations-to-go and more.”

Another valuable part of attending industry shows is the chance to meet other people in the field. I know that at some of the chemical shows I attended, the highlight of the show was the chance to put a face to a voice that I had dealt with over the phone. The organizers of this show are advertising that there will be opportunities to connect “with your colleagues and develop new relationships with other like-minded professionals in your field”.

This show will have a CFATS update session. I am not familiar with the two presenters who are involved in this session, but that doesn’t necessarily mean much. My contact with other security professionals is typically limited to reading their publications or communicating with them electronically when they respond to my blog. There are lots of hardworking people in this field that never publish or respond to bloggers. I am surprised, however, that they are not including someone from ISCD in this presentation. Whatever problems ISCD has had implementing the CFATS program, they have never been reticent about sharing what they know with industry groups.

Needless to say, one can register for this event on-line. It will be interesting to see how well this virtual event actually works. I have already registered; after all, you can’t beat the price.

Thursday, January 27, 2011

There was an interesting, yet way too brief, entry at RegInfo.gov about a DOJ/OJB submission on Wednesday to the Office of Management and Budget of an Interim Final Rule entitled “International Terrorism Victim Expense Reimbursement Program”. This program was not listed in the Unified Regulatory Agenda so there is nothing telling us what this entails.

It will be interesting to see what this rule looks like when it finally makes it to the public comment portion of the rulemaking process (2 months to 6 months from now?). Will it be limited to just attacks outside of the United States or will it include foreign terrorist attacks within the US? If it includes stateside attacks, will the reimbursements be voided if the gun-toters are US citizens with the planners being international terrorists?

Many people have expressed concern over the last six months or so about the lack of detailed information on the Stuxnet worm coming out of ICS-CERT. The discussion of Stuxnet in this document will hardly improve their image with regard to Stuxnet. In fact the authors of this review have actually aggravated the problem by stating in the ‘Lessons Learned’ section that: “Timely information sharing of threats and analysis is of chief importance in empowering and protecting public and private sector partners.” Hopefully ICS-CERT has learned this lesson.

Actually, the most valuable information on Stuxnet in this publication is found in the “Stuxnet Specific Resources” section on the last page. Interestingly, ICS-CERT gives the Symantec “W32.Stuxnet Dossier” the primary ranking (by listing it first) as a source of information, above the two ICS-CERT documents that have been criticized by many control system security experts as being very weak sources of information.

Fly-Away Teams

The year in review looks at the establishment of fly-away teams to assist asset owners in responding to actual cyber security incidents. Beyond the basic discussion of these teams, the ‘Lessons Learned’ section deserves special attention by the control system community.

• Many asset owners reported that they were not aware of the resources available to keep them informed of current threat information or vulnerabilities to ICS.

• A common understanding of the potential impacts of cyber vulnerabilities (loss or degradation of process control, loss of sensitive information, etc.) does not exist across all CIKR sectors.

• Asset owners need to employ consistent management of privileges on their networks – who has which privileges, and on which part of the network they apply, for each individual.

• Forensics analysis is enhanced when the organization has established a baseline dataset for network configuration and typical traffic; this allows for more effective identification of intrusions.

I really do recommend that anyone with an interest in control system security read this document. It provides some brief yet interesting discussions, and the various ‘lessons learned’ listings provide some very concise, yet appropriate, pieces of information about cybersecurity for control systems. It won’t directly make your security program any better, but it will provide a good list of talking/thinking points.
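The last of the lessons learned above, a baseline of typical traffic that makes intrusions easier to spot, is simple to put into practice on a control network where the set of legitimate conversations is small and stable. The following is an added example, not code from ICS-CERT or the year-in-review document: it learns a flow baseline (source, destination, protocol, destination port) from a constructed quiet-period capture and then flags every flow in a later constructed capture that is not in it, saying whether the surprise is a new host or a new service between known hosts. The record format and addresses are assumptions made for the example.

```python
"""Added example: learn a flow baseline for a control network and flag flows
outside it.  Records, addresses and format are constructed for illustration;
this is not ICS-CERT code.
"""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src, dst, proto, dst_port)

# Constructed baseline capture from a quiet period: an HMI (10.1.1.10) polling
# two PLCs over Modbus/TCP (502), a historian (10.1.1.50) pulling from the HMI
# over 1433, and both PLCs syncing time with an NTP server (10.1.1.5, 123).
BASELINE_RECORDS = """\
2011-01-20T10:00:01 tcp 10.1.1.10 10.1.2.20 502
2011-01-20T10:00:01 tcp 10.1.1.10 10.1.2.21 502
2011-01-20T10:00:02 tcp 10.1.1.50 10.1.1.10 1433
2011-01-20T10:00:03 udp 10.1.2.20 10.1.1.5 123
2011-01-20T10:00:03 udp 10.1.2.21 10.1.1.5 123
"""

# Constructed later capture: the known flows plus an unknown host talking to a
# PLC on a new port and a PLC opening an outbound HTTPS session to the internet.
OBSERVED_RECORDS = """\
2011-01-25T14:00:01 tcp 10.1.1.10 10.1.2.20 502
2011-01-25T14:00:01 tcp 10.1.1.99 10.1.2.20 44818
2011-01-25T14:00:02 tcp 10.1.1.50 10.1.1.10 1433
2011-01-25T14:00:02 tcp 10.1.2.21 93.184.216.34 443
2011-01-25T14:00:03 udp 10.1.2.20 10.1.1.5 123
2011-01-25T14:00:04 tcp 10.1.1.99 10.1.2.20 44818
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp proto src dst dport' records into flow tuples."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, dst, port = line.split()
        flows.append((src, dst, proto, int(port)))
    return flows


def learn_baseline(text: str) -> Set[Flow]:
    """The baseline is simply the set of distinct flows seen in the quiet period."""
    return set(parse_flows(text))


def known_hosts(baseline: Set[Flow]) -> Set[str]:
    """Every address that appears as a source or destination in the baseline."""
    return {host for flow in baseline for host in flow[:2]}


def find_anomalies(baseline: Set[Flow], text: str) -> List[Dict[str, object]]:
    """Return each distinct flow not in the baseline with a reason it stands out."""
    hosts = known_hosts(baseline)
    seen: Set[Flow] = set()
    findings: List[Dict[str, object]] = []
    for flow in parse_flows(text):
        if flow in baseline or flow in seen:
            continue
        seen.add(flow)
        src, dst, _proto, _port = flow
        reasons = []
        if src not in hosts:
            reasons.append("new source host")
        if dst not in hosts:
            reasons.append("new destination host")
        if not reasons:
            # Both ends are familiar, so it is the service that is unexpected.
            reasons.append("new service between known hosts")
        findings.append({"flow": flow, "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_RECORDS)
    for finding in find_anomalies(baseline, OBSERVED_RECORDS):
        src, dst, proto, port = finding["flow"]
        print(f"{src} -> {dst} {proto}/{port}: {', '.join(finding['reasons'])}")
```

The value of the baseline is in the third reason: a new port between two hosts that already talk to each other is exactly the sort of change a signature-based tool has no rule for, and it is invisible without a record of what normal looked like before the incident. In practice the baseline should be re-learned after planned changes and kept with the network configuration snapshot so the forensics team has both.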

Tuesday was the first day for legislation to be introduced in the Senate for the 112th Congress and 187 bills were introduced. This produces the typical backlog for the printing process, but based on the basic information available on Thomas.LOC.gov there were only two bills that might be of interest to the chemical security community; S 21 and S 158. The latter is a reauthorization of the Surface Transportation Board (STB) and may contain provisions on rail shipments of TIH chemicals. The former may be the cybersecurity jackpot legislation for this session.

Interestingly, this bill was introduced by Sen. Reid (D, NV); that alone would make the bill important enough. More important, though, is the fact that both Sen. Rockefeller (D, WV) and Sen. Lieberman (I, CT) are co-sponsors of the bill. They had competing versions of cybersecurity legislation last session, and the participation of these three important Senators (and five other senior Democrats) probably indicates that this is a compromise version of the various bills from the last session.

The title of the bill is currently an unwieldy description of its general intent: “A bill to secure the United States against cyber attack, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses”. There is no way to tell if it addresses control system security, but I would suspect that there will be provisions that will have some effect on the chemical security community.

The follow-up advisory outlines additional information that ICS-CERT received about the potential effects of the testing. They note that the FAA told them that the area potentially affected by the GPS testing shrinks as altitude decreases, with only a 20-mile radius being affected at sea level. Since the center of the testing area is off the coast of Georgia for the only test still in progress, there is no forecast effect on ground-based control systems. The advisory also updates the information on the timing of the tests to indicate that the current testing in the area off the coast of Georgia will continue until February 11th, with a second round of tests to be held during the period of February 15th through the 22nd.

The advisory provides more details on the types of ICS that could have been affected if the tests had been done in an area nearer to a potentially affected facility. It notes:

“GPS is widely used in control system environments, particularly as a timing reference signal for cellular based remote terminal units (RTUs), for intelligent electronic devices (IEDs) [NOTE: That acronym is going to cause some confusion in DHS.] used in the energy sector, and for position detection in railroad positive train control (PTC) applications.”

ICS-CERT notes that, in the short term, there is little that facilities that rely on GPS timing signals in the operation of their ICS can do to mitigate this vulnerability. Yes, this is really about the inherent vulnerability to jamming that these systems have. In the longer term ICS-CERT recommends that:

“ICS owners and operators of control systems that are reliant on GPS timing signals (i.e., cellular RTUs, IEDs) should consider including integrated backup timing systems to accommodate the temporary loss of GPS due to interference or actual failure.”

NOTE: This is the same advice that Bert provided in his comment to yesterday’s posting on the initial alert.

Signal Spoofing

During my time in the military I spent a lot of time using tactical radios. After I was a victim of an apparent Soviet (or maybe East German) attempt to spoof a command to move my location during a tactical exercise near the inter-German border I got some additional training on radio communications spoofing, or the sending of radio signals to simulate legitimate communications with the intent to cause operational confusion.

Facilities using GPS signals for control system operations would appear to be potentially vulnerable to spoofing of those signals. Depending on the exact use of those GPS timing signals, a local radio transmitter spoofing the timing signals could cause disruption of process operations.

This is potentially a bigger problem than jamming. When jamming is detected, or a signal is lost, it is relatively easy to implement back-up procedures (if they exist). When a signal is spoofed, the system would attempt to continue routine operations, but would be relying on corrupted timing data. This could result in all sorts of problems with mis-timed ICS operations.

It would seem to me that this apparent vulnerability could be dealt with by including a signals analysis check in the timing-signal processing. If there were a sudden change in the timing-signal strength, that check would verify the new time-hack against the most recent one received before the change. If the elapsed time reported by the GPS signal did not match the elapsed time on the local clock, the signals analysis system would switch the ICS to the back-up timing system. The same comparison catches a spoofed signal even when the strength change is too small to notice: the local oscillator cannot drift far in a few seconds, so a GPS time that jumps relative to it is not to be trusted. This might be more difficult to implement in the remote terminal units.
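The check sketched above, as an added example rather than anything from ICS-CERT or an RTU vendor: each GPS time-hack is compared with the last trusted one, and the difference in GPS time is checked against the difference on the local free-running clock, with a tolerance that covers oscillator drift plus receiver jitter. A time-hack that fails the comparison is not followed; the supervisor runs on holdover (last trusted GPS time plus local elapsed time) and never adopts the rejected message as its new reference, so a spoofer cannot re-anchor it. The drift figure, the jitter floor, the signal-strength threshold and the sample fixes are all assumptions constructed for the example.

```python
"""Added example: plausibility check on a GPS timing reference with holdover
fallback.  Illustrative code, not from any ICS vendor or from ICS-CERT;
the thresholds and the sample fixes are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GpsFix:
    """One decoded timing message (values constructed for the example)."""
    local_s: float   # reading of the free-running local oscillator at receipt
    gps_s: float     # time of day decoded from the GPS message, in seconds
    cn0_db: float    # receiver-reported carrier-to-noise density (a strength proxy)


@dataclass
class TimingSupervisor:
    """Accept GPS time only while it stays consistent with the local clock."""
    max_drift_ppm: float = 1.0      # assumed worst-case local oscillator drift
    min_tolerance_s: float = 1e-3   # assumed floor covering receiver jitter
    cn0_jump_db: float = 6.0        # assumed 'sudden strength change' threshold
    source: str = "gps"
    last_trusted: Optional[GpsFix] = None
    events: List[str] = field(default_factory=list)

    def ingest(self, fix: GpsFix) -> str:
        """Consider one fix and return the timing source in use afterwards."""
        if self.last_trusted is None:
            self.last_trusted = fix          # first fix: nothing to compare against
            return self.source
        ref = self.last_trusted
        local_elapsed = fix.local_s - ref.local_s
        gps_elapsed = fix.gps_s - ref.gps_s
        # How far GPS may legitimately disagree with the local clock over this
        # interval: oscillator drift over the interval, plus a fixed jitter floor.
        tolerance = max(self.min_tolerance_s,
                        local_elapsed * self.max_drift_ppm * 1e-6)
        discrepancy = abs(gps_elapsed - local_elapsed)
        strength_jump = abs(fix.cn0_db - ref.cn0_db) >= self.cn0_jump_db
        if discrepancy > tolerance:
            # Not anchored to our trusted history: keep free-running from the
            # last trusted fix.  last_trusted is deliberately left unchanged so
            # a rejected (possibly spoofed) message never becomes the reference.
            if self.source != "holdover":
                self.events.append(
                    f"local={fix.local_s:.1f}: time step of {discrepancy:.4f}s"
                    + (" after signal-strength change" if strength_jump else "")
                    + ", switching to holdover")
            self.source = "holdover"
            return self.source
        if self.source == "holdover":
            self.events.append(
                f"local={fix.local_s:.1f}: GPS consistent again, returning to GPS")
        self.source = "gps"
        self.last_trusted = fix
        return self.source

    def now(self, local_s: float) -> float:
        """Best time estimate: last trusted GPS time plus local elapsed time."""
        if self.last_trusted is None:
            raise RuntimeError("no trusted fix yet")
        return self.last_trusted.gps_s + (local_s - self.last_trusted.local_s)


# Constructed sequence: three genuine fixes (one with 0.5 ms of jitter), two
# fixes from a much stronger transmitter that step time forward by 0.5 s, then
# the genuine signal returns.
SAMPLE_FIXES = [
    GpsFix(0.0, 1000.0,    45.0),
    GpsFix(1.0, 1001.0,    45.0),
    GpsFix(2.0, 1002.0005, 44.5),
    GpsFix(3.0, 1003.5,    58.0),
    GpsFix(4.0, 1004.5,    58.0),
    GpsFix(5.0, 1005.0,    45.0),
]


def run_sequence(fixes: List[GpsFix]) -> List[str]:
    """Feed fixes through a fresh supervisor; return the source chosen per fix."""
    sup = TimingSupervisor()
    return [sup.ingest(f) for f in fixes]


if __name__ == "__main__":
    sup = TimingSupervisor()
    for f in SAMPLE_FIXES:
        print(f"local={f.local_s:.1f} gps={f.gps_s:.4f} -> {sup.ingest(f)}")
    for event in sup.events:
        print(event)
```

Two caveats a practitioner would add. First, a spoofer who pulls the time off slowly, staying under the drift tolerance on every update, passes this check; defeating that needs an independent reference (a disciplined oscillator with a known holdover budget, a second constellation or receiver, or NTP/PTP over a different path) rather than a tighter threshold. Second, the signal-strength change is logged here but not used as a trigger on its own, because a genuine strength change (weather, a new obstruction, a satellite handover) is common and a time step is the thing that actually damages the process.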

Earlier this week I did a short blog post about the Chemical Safety Board’s report on the deadly Bayer CropScience process explosion [which is no longer available on the CSB site]. The lengthy report has a wealth of information that should be read by chemical safety personnel. While this is a chemical safety report, there is also a very valuable section of potential interest to security professionals dealing with the design of the blast protection provided to the above-ground methyl isocyanate (MIC) day tank.

Reading Appendix C to this report, I was impressed with the efforts that the facility designers took to protect that day tank from the potential effects of an explosion or fire in the vicinity of the tank. I have been a frequent critic of the response of Bayer CropScience management to this incident, but there is no doubt that the people designing the facility understood the potential risks associated with MIC and made an honest and expensive effort to reduce the risks associated with that material and mitigate potential releases.

The only real shortcoming, in hindsight, was that the blast protection design only looked at accidental fires and explosions; it didn’t consider potential attacks on the system. High-risk chemical facilities (which technically the CropScience facility isn’t, since it is an MTSA covered facility [in West Virginia?]) need to reconsider the safety designs at their facility in light of the potential risks of terrorist attack.

For example, when considering blast protection requirements one would have to consider whether the tank (or whatever critical process element) is positioned in such a way as to make it vulnerable to a vehicle-borne improvised explosive device. If it is so exposed, the design basis for the blast protection needs to account for an explosion of that size.

In any case, anyone that is responsible for safety or security at a facility containing large containers of toxic inhalation hazard (TIH) chemicals should read Appendix C to the Bayer CropScience report by CSB.

Tuesday, January 25, 2011

Earlier today Brad Calbick left a comment on today’s earlier blog about the ICS-CERT Alert on the GPS outage. While generally supportive of my comments about the late reporting, he took objection to my negative comments on using the GPS for critical system support; writing: “What is your proposed alternative to utilizing GPS for critical systems? I'm not aware of a solution that improves on the reliability and cost of GPS.”

I must admit that I don’t have an alternative, particularly since I don’t really understand what the GPS timing signal is used for. I would guess that it is used in synchronizing operations separated by enough distance that transmission time lag can cause problems. I am not a systems engineer so any thoughts that I would have on a substitute would be suspect at best.

GPS is a Military System

What I do know is politics and government. The GPS system was designed for and by the US Military for their use. A number of entities have complained over the years about the DOD control of the system, but since DOD paid for the system it is theirs to operate as they please.

I remember when civilian GPS devices were first introduced. Most people focused on the military’s initial refusal to allow civilian users full access to the system, access that would have allowed for more accurate position data. What most people failed to notice, or certainly remember, was that the military made a point of telling everyone that they would not guarantee future access to the signals.

The problem with ICS vendors using a pirated (I know, you can’t really consider receiving a broadcast signal as pirating) GPS signal for their own purposes is that they are using the signal without the military’s knowledge or ‘approval’. Thus, when the military plays with the signal for their purposes there is no mechanism (or reason) for the military to inform the ICS users.

Now, obviously the FAA has an agreement with DOD about their use of the GPS signals (almost certainly a memorandum of understanding). That agreement required DOD to provide the FAA with advance notice, and the FAA forwarded that advance notice to their GPS system users.

Protecting ICS use of GPS

If the ICS community is widely using the GPS signal for control purposes (and I don’t know how widespread the use is) then someone is going to have to ensure that the military informs that community in advance of any modifications to the signal. I suppose that individual vendors could try to negotiate that agreement, but I doubt that would be the most successful way of dealing with the situation.

I would suggest that DHS ICS-CERT would be the logical government organization to negotiate an MOU requiring advance notification of GPS signal modifications on behalf of the ICS community. Just like the FAA did in these two situations, ICS-CERT would then notify the community of the modifications so that facilities could take appropriate actions to protect their systems that use that signal.

Of course that brings up another problem: ICS-CERT is a passive communicator. They post information on their web site, but have no mechanism to point people to the new information. There are a few people like myself that actively monitor the ICS-CERT web site and then broadcast that information on blogs and tweets.

While that is more active than what ICS-CERT does with its information, it still doesn’t ensure that the information gets out to all affected parties. Someone is going to have to develop a communications system for these alerts that pushes the information far enough down the communications tree that everyone who needs the information will get it. At the same time the system would have to be careful about not blasting information out to people that don’t need it.

Again, I am not an engineer (a communications engineer in this case) so I can’t begin to describe how such a system might work. My part of the puzzle is to identify the problems and prod people into taking care of them.

Congressional organization is proceeding to the point where we can start looking for Congressional hearings to start in earnest. Two House committees of interest to the chemical security community will be meeting on Wednesday to hold their organizational meetings; the Homeland Security Committee and the Transportation and Infrastructure Committee. The Energy and Commerce Committee had their organizational meeting last week and is actually starting regular hearings this week.

This morning the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert regarding an FAA notice about planned temporary outages of the Global Positioning System (GPS) due to DOD testing. “ICS-CERT is issuing this alert to Industrial control systems (ICS) owners and operators using GPS for timing reference or positioning data to alert them regarding possible intermittent GPS service during the testing.”

DOD tests will take place near Porterville, CA (January 16th through January 23rd, 2011; affected frequencies: 1575.42 MHz and 1227.60 MHz) and Brunswick, GA (January 20th through February 11th, 2011, and February 15th through February 22nd, 2011; affected frequencies: not identified). Since both of these tests are already underway this is not a very timely notice. The alert indicates that the undescribed tests will run for 45 minutes followed by 15 minutes of ‘off time’.

Folks have to remember that the GPS system is a military system designed for DOD use, not civilian use. Why potentially critical systems were designed to use a GPS signal is completely beyond me.

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory for a buffer overflow vulnerability identified in the AGG Software OPC SCADA Viewer software. The vulnerability could allow arbitrary code execution by an attacker with moderate skill levels and physical access to a local machine. No publicly available exploit has been seen.

AGG Software does have a patch available and a newer version {1.5.2(Build 110)} without the vulnerability is also available. ICS-CERT reminds users not to open configuration files from untrusted sources.

Monday, January 24, 2011

The attentive reader might remember a post I did at the end of last month about an on-line training program about the Suspicious Activity Reporting program. Shortly after that post, I was contacted by James Cavanagh, the head of LEAPS.TV (the outfit that prepared that training program), thanking me for the positive review.

In the ensuing discussion he asked me if I would be interested in working on a project. His organization does these on-line training programs for law enforcement and emergency management personnel. He had received some requests for training on CFATS for law enforcement personnel and he thought that I might be able to provide some input on the subject.

It’s been an interesting project and I’ve had some interesting conversations with some law enforcement types about their perspective on chemical facility security. As one would expect, they have a slightly different look at the subject and it has been very educational for me.

In any case, Jim just sent me the link to the advance notice for this webinar. It will be free and it will remain on the LEAPS.TV site for future viewing for a relatively short time (four weeks, I think). After that I’ll see about getting it posted somewhere else. It is being designed to give law enforcement personnel a brief overview of the CFATS program and how that program might affect them if they have a covered facility in their community.

Any CFATS covered facility might want to recommend this to their local police department. It is free and LEAPS.TV has an arrangement so that they can award continuing education credits for participants.

If there is enough interest in the program we might be able to provide additional instructional material to provide more detailed information about what local law enforcement needs to know about chemical facility security.

I have been contacted, again anonymously, by another chemical facility security inspector with concerns about how inspectors have been treated. I won’t go into the new issues that have been raised right now as I want to address an important question that was posed to me that I believe deserves a public answer.

Insider2 asked: “How anonymous can one expect to be when contacting you, as there are many people familiar with this program who have been treated unfairly with the way these issues have affected them and their families and all of them fear retaliation?”

The simple answer is that I have no intention of disclosing the identities of anyone that requests anonymity when providing me with information. There are some caveats to that. First if you tell me that you committed a felony or other serious crime, I’m sorry, my moral code demands that I inform the appropriate authorities.

Second, I am a blogger and various jurisdictions do not consider that to be a journalist, thus shield laws may not apply. Since I have a wife, five dogs and two birds that depend upon me, I cannot afford to spend an extended amount of time in jail on a contempt of court/congress charge. Remember the only money I’m receiving for this blog is a rare contribution from my readers.

Third, if someone becomes convinced that my blog is a threat to national security, I may not know that my computer records have become compromised. I don’t think that that is likely any more than I think I’ll be hauled into court to be told to disclose my sources. But if one is paranoid (legitimately or otherwise), you have to take these things into account.

Now, having said all of that, there are a couple of fairly simple techniques to prevent me from being able to disclose your identity. The easiest is to post a comment to the blog from a computer that is not easily traced to you and make your post anonymously. I would prefer that you use a nom de guerre instead of “Anonymous”, but if your job is potentially on the line I can certainly understand why you might want to join those particular ranks. I have no way of tracing back the identity of those comment posters (though GOOGLE certainly may) so I can’t disclose any identifying information.

NOTE: DO NOT INCLUDE CVI in any comment posted to my blog. I will not allow it to go public.

The next best way would be to contact me by email using a free email address (AOL, YAHOO, GOOGLE, HOTMAIL, etc) that isn’t directly traceable to you (don’t use your name…). Again, I would have no way of knowing who you are, though government investigators may.

The most secure way to contact me if you are really worried about this is to do it through a legally protected intermediary like a lawyer, clergy member and, in some cases, a labor organizer. Remember, though, that those individuals do not have absolute protection against disclosing your identity. There are exceptions and rules covering them as well. They do have more protections than I do.

FAIR ACCESS DISCLAIMER: I will again note that I am always interested in hearing from the other side of these issues, either from ISCD management (on or off the record) or even dissenting CFSI. I have never run into an issue where there wasn’t a different opinion on what constituted ‘the facts’ of the case. Neither side needs to be ‘lying’; they just see things from a different perspective, and perspectives do color facts, every time.

The notice does not specifically discuss whether or not provisions are being made for public presentations during the open portion of the meeting. Such presentations, if allowed, would typically need to be registered in advance with HSAC Staff at hsac@dhs.gov or 202-447-3135. Written comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket Number DHS 2011-0002).

Last Thursday, at a public meeting in Institute, WV, the Chemical Safety Board approved their final report into the investigation of the deadly explosion at the nearby Bayer CropScience facility in 2008. According to a CSB press release, the “CSB found multiple deficiencies during a lengthy startup process that resulted in a runaway chemical reaction inside a residue treater pressure vessel”.

I had earlier reported that there might be a discussion of the National Academy of Sciences study commissioned to review the consideration of inherently safer technology for the Bayer CropScience facility. That discussion did not happen. That may have been because of a recent report by Bayer that they would stop manufacture, storage and use of methyl isocyanate (MIC) at the West Virginia facility within the next 18 months. There has been no public discussion of how that announcement will affect the conduct of the NAS investigation.

One of the specific recommendations made by the Board would end up having a major effect on the chemical process industry if it were widely adopted. CSB recommended the establishment of a state level “Hazardous Chemical Release Prevention Program” modeled on the program in Contra Costa County in California. Noting that OSHA and EPA have inadequate resources to enforce their safety programs, CSB Chairperson Dr. Moure-Eraso is quoted as saying that “local jurisdictions can put together highly effective and targeted inspection and enforcement programs, funded by levies on the plants themselves”.

Industry has long resisted such efforts at local regulation of chemical safety and security. They note that such patchwork regulations make it difficult to manage multiple facilities. I think that the problem with such regulations is that they make the protection of industrial neighbors dependent on the expertise and gumption of local governments. Adequate enforcement of existing OSHA and EPA regulations would be a much better solution because it should provide protection for people around all chemical facilities, not just a few select areas.

Sunday, January 23, 2011

Last weekend I talked about some personnel issues at ISCD. At the time I did not have any specific information about the cause of the problems, just the information about the removal of the Acting Director and Acting Assistant Director and the upcoming union vote for the Chemical Facility Security Inspectors (CFSI).

Since then I have received some information from an anonymous source I am going to call Insider. I have not been able to verify this information (I am a blogger, not an investigative reporter), but from the tone and wording of the communication, Insider does appear to be what he (generic pronoun use) claims, a person with close personal contacts in the CFSI community.

The following discussion is based upon this anonymous, unverified information. I am perfectly willing to discuss a similar response from ISCD management or whatever labor organization is working on the issue.

Locality Pay

According to Insider, the current labor dispute revolves around the handling of two separate pay issues: Locality Pay and Authorized Uncontrollable Overtime (AUO). To understand the first issue the reader may need to understand how the CFATS inspection force is organized.

There are 10 regional offices that are supposed to be established (I am not sure if they have all been set up and staffed; delays in Congressional funding have made this process difficult for ISCD).

Because of the wide disparity of the cost of living within this country, the Federal government provides a base level of pay for their employees and then adds a ‘locality pay’ to compensate the employees for the high cost of living in many cities. Typically that pay is limited to a 50-mile radius around the center of that area.

With CFSI spending most of their time on the road doing inspections within their region, one can understand why an inspector might not feel the need to relocate their family to within a 50-mile radius of their duty station or home office. This is particularly true since the original intent was for the CFSI not to have formal office space at the regional office; their offices would, for all intents and purposes, be their laptop computers.

According to Insider:

“At the time of job postings the PD [Personnel Department] never stated that you had to work inside the locality area. For new hires this meant a drop in pay immediately from what they agreed to and promised by NPPD. Some Inspectors would have never left their past jobs with this bait and switch method.”

Now I can understand how the detailed explanation of how ‘locality pay’ would be handled might not come up in the initial pre-employment interview process. The people doing these interviews would have been people that had worked in the Federal government for a while and the administrative aspects of the Federal pay system would be second nature to them. One would like to think, however, that as the pre-employment process moved along that pay issues would have been better explained.

Insider goes on to explain:

“For the veteran Inspector cadre, those living outside the 50 mile area of a duty station, have been receiving the locality pay for their respected duty station. Some Inspectors have received paperwork that they must now repay the Government upwards to $30k since these new locality pay rules have come to fruition.”

Being required to re-pay that amount of money does not sound like just a failure to explain the details of the Federal pay system. It sounds like there was a change in the way the pay system was administered. In fact, Insider explains that CFSI “are being left on the hook to pay back wages that upper level administrators signed off on long ago”.

Now I can fully understand changes being made to the way the compensation program was being managed; the Federal government, like most governments and private sector companies, is trying to reduce its costs. But making changes and then making them retroactive seems to be a bit much. What I suspect happened is that ISCD stood up this entirely new personnel program and didn’t fully understand the intricacies of the Federal payroll system. Then the IG or some other oversight group checked on the program and found problems with how this was being administered. Based upon this type of review, someone declared that some of the CFSI had been overpaid.

Now I have seen similar things happen in the military. I have personally been overpaid when I received an advance pay and was then paid my full pay for the same period in the next paycheck. This was, of course, back before the full automation of the pay system, and I was fully warned that it would happen and that Uncle Sam would take back the excess money at some future date. The difference, of course, was that the pay problem was fully understood and the people making the ‘advance pay’ were completely up front about what could be expected to happen.

What seems to have happened here is that ISCD management made a mistake in the way they set up their compensation program. When that mistake was identified and corrected the CFSI were left to pay for the mistake of management. Now management makes mistakes from time to time; it is the nature of the beast. To leave the work force holding the bag for those mistakes, however, is always inexcusable. Unfortunately, bureaucracies seldom have the flexibility to do otherwise.

If what I think happened was the cause of this problem, I’m afraid that only Congress will be able to fix the issue. It would be nice to think that the people who caused the problem at ISCD would lobby Congress to fix the problem, but again, political realities would suggest that that can’t happen. The political controllers would be loath to allow the professionals to call such a problem to the attention of Congress; it would reflect poorly on their control of the reins of government.

Authorized Uncontrollable Overtime

The accountability issue with locality pay is also affecting another portion of the compensation program for CFSI. CFSI hold salaried positions; they receive a base salary figured on a 40-hour workweek. It is fully recognized, however, that because of the inherent nature of their job they will be working substantially more than 40 hours on a fairly routine basis, and that it would be unreasonable to have that overtime work specifically approved in advance.

So they are compensated for that overtime under a program known as ‘Authorized Uncontrollable Overtime’ (AUO). To keep that system under some sort of control they are expected to account for the amount of time that they spend at work, over and above the standard 40 hours. From a budgeting perspective, management typically sets forth some general guidance about how much AUO is generally going to be expected. That expectation gets passed down to the workers so that they know how much work will be okayed without prior approval.

To keep the AUO system from being abused, employees must provide justification for the amount of overtime that they perform. In jobs like those performed by the CFSI, this is a difficult process at best. Since they don’t maintain regular office hours and can’t forecast how much time they will be putting in, it is very difficult to keep track of this on an on-going basis.

So what typically happens is that people in these types of positions use guidance that they receive from management on expected overtime as the figure that they report for their overtime. That usually understates the amount of time they are actually putting in, but the approval process for time over that is typically viewed as not worth the effort to get the actual time approved. Management stays happy because they remain within budget (and in fact look good because they are able to forecast overtime so well) and the employees receive compensation for most of their hard work.

Two potential problems arise out of this type of system. First, employees begin to see the routine overtime compensation as part of their regular pay and base their personal budgets on that higher figure. If something happens to reduce the routine overtime, they may be hurt financially when that pay is cut. No one sees the time CFSI spend on the CFATS implementation inspections being cut anytime soon. They are so far behind in the inspection process (due to slow funding for new inspectors, the archaic hiring process and underestimation of the time to complete the inspection process) that they are going to be extremely overworked for the foreseeable future.

The second problem is caused by the fact that the bureaucracy requires that the overtime pay is justified each pay period. Since it takes a severely anal retentive personality to faithfully keep the detailed records necessary to accurately account for the additional time spent on this type of job, and no one is going to be actually paid for the hours spent in excess of the amount ‘authorized’ by management, this justification is typically more of an exercise in creative writing than in time management.

Generally this works out okay. The employees receive a consistent level of pay that almost compensates for the long work hours and excessive time on the road and management looks good for their ability to forecast and control their departmental expenses. As long as both sides trust each other, this sort of thing generally works really well.

Unfortunately, that trust has now evaporated in ISCD. The CFSI, based upon what they have seen happen with locality pay, are now worried about their justifications of AUO. They are very afraid that they may be asked to repay all or part of the AUO that they have received because of potentially inadequate records to back up the justifications that they have filed to date. The justifications provided were acceptable to management when submitted, but the CFSI can no longer feel that management will stand behind their earlier judgments.

Inevitably what is going to happen is that the CFSI will start to get more attentive to their record keeping about the amount of time that they spend on the job. That will just as inevitably detract from the time spent on actually doing their job. Since they can no longer trust management to back them up on these sorts of things, when they reach the time limits set by management in the AUO guidance, they will stop work. One just typically cannot expect people to put in too much free work for a management team that is not trusted.

Problem Resolution

It seems to me that for the CFATS program to be an effective program there needs to be a minimum level of understanding and trust between the CFSI and the folks running ISCD. That does not currently seem to be the case. This issue needs to be resolved and I am afraid that unionizing the CFSI will do little to resolve that underlying trust and understanding problem. If the information provided by Insider is correct, I understand why people would look towards forming a Union to protect them from what appear to be unfair practices. I just don’t think that unionization will resolve the larger, underlying issues.

Congress, exercising its oversight responsibility, needs to step up and look into this problem immediately. Since they control the purse strings, they are the only ones that can now resolve the pay problem associated with the collection of back pay on the locality pay issue and provide the guidance going forward to resolve the issue. If that issue is not resolved promptly, I’m afraid that the AUO issue will further slow the implementation/inspection process. That would destroy the credibility of the CFATS program.

Rep. King and/or Sen. Lieberman need to tell DHS to stop the collection of back locality pay pending further Congressional investigation. And that needs to happen immediately. Otherwise, we are going to end up with a security program that operates in the same way that OSHA and EPA enforce chemical safety programs: effective security enforcement action will only be taken at facilities that have had a serious security incident. We can’t afford another such program.

The new update notes that the vulnerability can be exploited using a non-compliant Modbus/TCP Slave application, but would not likely allow the attacker to execute arbitrary code. It also explains some of the limits of the vulnerability.

ICS-CERT has not seen a publicly available exploit of this vulnerability but expects that an attacker with an ‘intermediate skill level’ would be able to create the necessary exploit code.

The new version of the advisory does not provide any changes to the suggested mitigation actions recommended to protect a system.

There is an interesting article by Patrick Thibodeau over at ComputerWorld.com that deals with an important physical security problem: the possibility of people bypassing tamper-evident seals. The article describes a study reported earlier this week at the Black Hat security conference. That report was presented by Jamie Schwettmann and Eric Michaud of i11 Industries.

According to the article the study authors “went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors, blow driers, and in more difficult cases with the help of tools such as drills.”

Seals and Chemical Security

Seals have been applied to chemical shipping containers for years to allow a customer to feel comfortable that the materials within the container have not been tampered with en route. Many companies put these seals on as part of their quality assurance program.

In recent years the emphasis on the use of seals has slowly started to shift to their being a security measure as well as a quality assurance measure. Chemical facilities do not want security personnel opening tank trucks (or railcars or IBCs) at the front gate to ensure that they contain the appropriate chemicals and not weapons being used to attack the facility. So facilities rely on checking seals on the openings to the tank to verify that what their supplier put into the truck is still what is in the truck.

The study points out the basic flaw in this security measure: it is relatively easy to open most of these seals and then put them back together in such a way that a casual observer will not notice the tampering. Unfortunately, most security personnel have gotten so used to checking these devices that a casual inspection is all the attention the seals receive.

Problem Solution

This is a common security problem. You train people to the necessary standards and require that they conform to those standards. But, any check like this that is made on a routine basis without detecting a problem will, because of human nature, be less closely checked as time goes on.

There are a couple of potential solutions to this type of problem. The classic solution is to provide close over-sight of people performing the checks and to take ‘appropriate personnel actions’ when they are not done properly. This certainly works, but it is management intensive (though remotely operated video systems may make that less of a problem) and breeds a certain amount of ‘distance’ or tension between security personnel and their managers.

A more creative way of keeping the checkers more attentive is to get them involved in determining ways that the devices can be bypassed. Simply collect discarded seals when the tank is opened and give them to the security personnel. Give them the assignment of figuring out how to put them back together while avoiding casual detection. Use the employee-doctored devices as periodic challenge tests for the security team.

Damaged Seals

Back in the days when these seals were there strictly for quality purposes, the procedure for dealing with a damaged or doctored seal was fairly straightforward. Someone drew a sample from the tank and appropriate tests were done to ensure that the material within still met quality standards. In some cases, where quality could not be adequately confirmed on-site and it really counted (say pharmaceutical manufacturing), a truck with a damaged seal was returned without unloading.

Today when it is more likely that security is the main reason for requiring the application of seals to incoming shipment containers, or at least an important co-issue, those earlier solutions have to be reviewed carefully. If the contents have been replaced with explosives to form a vehicle borne IED (VBIED), the dome-lid, where such samples might normally be taken, could very easily be equipped with anti-handling devices.

Additionally, one needs to consider where the trailer is going to be held while the sampling and testing process is undertaken. Leaving it blocking the delivery gate is clearly unacceptable from an operational point of view. Allowing it to enter the security perimeter presents an entirely different set of problems. And conducting sampling of hazardous materials in areas open to the public is liable to give corporate legal folks apoplexy. Probably the best solution is to have a designated area under facility control but outside of the inner security perimeter in which to park vehicles that need additional clearance testing.

It’s just one more thing that the high-risk chemical facility security manager needs to worry about.

He wrote yesterday in a post on the recent National Maritime Security Advisory Committee (NMSAC) meeting [format edited for readability]:

Fresh from his star turn on TWIC issues yesterday, Commander David Murk returned to brief the Committee on efforts to harmonize requirements of the Chemical Facility Anti-Terrorism Standards (CFATS) and the Maritime Transportation Security Act (MTSA) and its regulations. Currently, all facilities regulated under MTSA are exempt from CFATS. All other facilities that meet thresholds for “chemicals of interest” are subject to CFATS, resulting in similar facilities dealing with the same chemicals being regulated differently.

A working group is examining the overlaps and differences. The group’s charge includes examining:

(1) Whether there are differences significant enough to cause an undue risk at facilities covered by the lower requirements or to create an unbalanced playing field from a business perspective;
(2) whether there are security implications in having two different approaches to risk assessment;
(3) how can intelligence and regulatory information sharing be improved; and
(4) where is there a need for joint direction.

Thus far, the group has produced an Action Memo with a regulatory comparison identifying gaps and differences and a Recommendation to consider creation of regional structures for CFATS similar to MTSA’s Area Maritime Security Committees. At present, there have been no decisions on regulatory changes, merely identification of items that need to be looked at. The goal is to have similar facilities not treated differently in terms of either risk or protection.

As to what the end result of the working group’s labors would be, CDR Murk replied that it would depend on this issue—either a legislative or a regulatory change might be necessary. One issue that had come up was the CFATS “Top Screen” requirement, a sort of on-line questionnaire completed by chemical facilities. These facilities are then classified into tiers, on the basis of their Top Screen input, according to which chemicals they deal with and in what amounts. The Department of Homeland Security (DHS) wants a centralized database on chemicals.

Agreement has been reached within DHS to go forward with a rulemaking to require applicable MTSA-regulated facilities to submit Top Screen inputs. The MTSA regulations would use the list identifying affected facilities that is in a CFATS appendix. MTSA-regulated facilities classified as CFATS Tier IV (not required to have a CFATS security plan) would still be required to have a MTSA Facility Security Plan.

A NMSAC member expressed concern that harmonization with CFATS would detract from MTSA’s maritime focus—MTSA met the international requirement to comply with the ISPS Code, but CFATS came from a different impetus. CDR Murk responded that the Coast Guard had opposed legislation that would exempt maritime CFATS facilities from regulation under MTSA.

My Analysis

John’s analysis of the harmonization issue is spot on with a couple of minor discrepancies on the CFATS information. I’ll address those to get them out of the way.

• Finally, Tier 4 CFATS facilities are required to have a site security plan, but they may submit the information on that plan using an alternative format rather than answering all of the questions in the SSP tool in CSAT; an administrative rather than security difference.

I find it interesting that there is a plan to move forward with requiring MTSA-covered chemical facilities to submit Top Screens. To make any sense, the Top Screen rankings into tiers (actually CFATS uses the Top Screen only to make a preliminary tier ranking, later refined by a review of the security vulnerability assessment submitted to ISCD) would have to result in increased security measures being required for higher-rated facilities.

I am kind of concerned with John’s comment that: “The Department of Homeland Security (DHS) wants a centralized data base on chemicals.” If that was the comment that the Coast Guard briefer made, it would be expected to concern many manufacturers. If that is the sole justification for requiring the Top Screen submissions, there will be major push back against that regulation.

I understand the Department’s interest in knowing where chemicals of special security significance reside, but that information is generally available from other government agencies. While the Top Screen is the least burdensome component of the CSAT tools, it is still time consuming and requires resources to collect the required information. The certification of the information also places an additional legal liability on the organization submitting the Top Screen.

This also brings up another interesting question. Over 30,000 facilities completed Top Screen submissions in the initial run of Top Screens and a significant number of facilities have been removed from the CFATS program because of subsequent Top Screen submissions. With only about 5,000 facilities remaining in the CFATS program, what is DHS-ISCD doing with the Top Screen information provided by the ‘unregulated’ facilities? Are they maintaining a database of where the 300+ chemicals of interest can be found to aid in subsequent terrorist investigations (a DB which one hopes will never need to be used)?

I don’t know the answer and I’m not even sure that I know which way that I would want the question to be answered. While I can certainly make a number of arguments justifying the maintenance of such a COI database, I don’t think that was what Congress had in mind when they wrote §550. This might be an interesting oversight question for Congress in this session.

The House is still in the process of getting organized, but most of the committee assignments have now been made for the committees that will have the most effect on chemical security and safety legislation. Here is a list of the committee members, as of yesterday, for those committees that I think are most important in this area.

House Homeland Security Committee

Chair: Mr. King of New York; Ranking Member: Mr. Thompson of Mississippi

Everyone that has an interest in chemical security matters should take a good look at the lists above to see if their congresscritter is on one or more of the lists. If so, it would certainly be worth the effort to sit down and write a brief letter or email to them letting them know about your interest in the area. You can find their addresses at: http://clerk.house.gov/. Then as issues come up during the next two years that are of interest to you, keep them up-to-date on your concerns.

There is no way that you are going to make them bend to your personal will, but you might be surprised as to how much attention they pay to your opinion. And your communication could always be the last piece of evidence that tips the scale for a fence sitter.

On page 4 of that document under the ‘Environment and Economy Agenda’ the CFATS regulations are discussed. The document explains:

“Created in the Fiscal Year 2007 appropriations, CFATS sunsets in March 2011. Appropriations Acts have carried one year extensions for the past two years. Even though the program is not fully implemented, some in Congress and the Obama Administration support efforts to dramatically expand the CFATS program into non-security areas. We should highlight how the program has not yet been fully implemented and that expansion beyond security against terrorism could kill domestic investments and jobs. Any program extension should preserve the original focus on security against terrorism.”

The same section also addresses security issues at water facilities:

“As for the Bioterrorism Act, Title IV, enacted in 2002, we should only require water utilities to update and submit their vulnerability assessments and site security plans. Providing EPA regulatory authority could lead to a program that deviates greatly from the security mission authorized by Congress.”

Both of these policy statements are not much of a surprise given the Republican control of the House, and they appear to be fairly closely aligned with the opinions that Rep. King (R, NY), Chairman of the House Homeland Security Committee, has expressed on many occasions. I would expect that some sort of reauthorization legislation will pass relatively easily in the House as long as it doesn’t get lost behind other higher priority issues.

The question, of course, will be similar to last session: can a House-passed bill make it through the Senate? The dynamic will be different this year, with the number of Republicans and Democrats very close. Controversial legislation could be stymied by a failure of either side to garner enough votes to close debate. Further complicating the issue is the debate on filibuster rules that was interrupted by the Senate’s long delay in coming back into session (they are not scheduled to return until next Tuesday).

Late yesterday afternoon John C.W. Bennett provided some corrective information to a blog posting that I had made last week. I had noted that the OMB reported having received the TWIC Reader NPRM for review. John informs us that a presenter at yesterday’s National Maritime Security Advisory Committee (NMSAC) meeting reported that what the OMB is actually reviewing is “a policy document providing interim guidance for voluntary use of TWIC readers in advance of the Final Rule”.

John also noted that the briefer explained that the interim document “could be on the streets in four months” (Note: John’s blog explains that that includes a 30-day OMB review and a public comment period). That makes more sense in light of the reported November time frame for the NPRM submission listed in the Unified Regulatory Agenda published last month. It’s unfortunate that MTSA facilities will have to rely on this interim guidance for TWIC Reader deployment information, but that would certainly be better than waiting blindly for at least two years for a final rule to become effective.

John also points us at his blog posting providing more details about yesterday’s NMSAC meeting.

Since I wasn’t able to attend the meeting I don’t know how much attention was paid to my submitted comments. But, since I submitted my comments early I would like to think that the study committee had a chance to review them prior to the development of their presentation that was made at yesterday’s meeting. Again, we only have a copy of their slide presentation, which lacks the additional information included in the oral presentation accompanying the slides, but there are some interesting parallels between their presentation and my comments.

The study proposal presented at the meeting expects for the group to take a year to accomplish this study. It will primarily focus on ‘leading executives and subject matter experts (SME) in business and government’ as the primary information sources. Among other things it will specifically “identify initial set of issues related to private sector participation and interaction” (slide 9) with existing fusion centers and identify “initial set of information sharing challenges, gaps, and best practices”.

The study group also expects to do some case studies using five of the NIPP critical sectors:

The new information on the CSETAT Program is the listing of the currently scheduled training dates for 2011. Those locations and dates [NOTE: ‘TBD’ will be announced later] for those training sessions are:

Tuesday, January 18, 2011

Yesterday the DHS Industrial Control System Cyber Emergency Response Team issued two advisories for different industrial control systems. The first updated a previously issued alert for the WellinTech KingView system. The second outlined a vulnerability in the Sielco Sistemi Winlog.

KingView Update

Last week I reported on the ICS-CERT Alert that had been issued on a reported heap overflow vulnerability in the WellinTech KingView system. At that time ICS-CERT didn’t have much more information than a published report of the vulnerability with exploit code. Since then ThreatPost.com reported on the communications problems that resulted in the lack of response to the security researcher’s reports to CN-CERT that ultimately led to the publication of the exploit code.

Yesterday’s advisory provided more information on the details of the vulnerability along with the mitigation recommendations that include a patch provided by WellinTech. The vulnerability could allow an attacker to crash the system via a heap overflow in the HistorySrv process. Even with the publicly available exploit code, ICS-CERT estimates that it would take an attacker with at least an intermediate skill level to exploit this vulnerability.

DHS ICS-CERT recommends the following mitigation measures be considered after conducting an impact assessment on the system:

• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.

• Control system networks and devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.

Sielco Sistemi Winlog Vulnerability

The second advisory issued by ICS-CERT deals with a newly reported vulnerability in the WinLog Lite and WinLog Pro HMI software produced by Sielco Sistemi. The vulnerability is found in all versions through 2.07.00. The vulnerability could allow a remote attacker to initiate a stack overflow, potentially resulting in the attacker being able to remotely execute arbitrary code. Even though exploit code is publicly available, ICS-CERT estimates that it would take a high skill level to exploit this vulnerability.

DHS ICS-CERT recommends the following mitigation measures be considered after conducting an impact assessment on the system:

• Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.

Monday, January 17, 2011

Readers of this blog will be well familiar with the name of Ralph Langner who has done so much work on decoding the targeting tools of the Stuxnet worm. I’ve written about his blog posts on a number of occasions. Well, Ralph has finally combined his descriptions of the various parts of that worm into a single article available at ControlGlobal.com. While this article was written for control systems engineers (and thus contains a lot of ‘code injection’, data block names, and other technical information) in my opinion the most important part of the article is the less technical discussion found in the last section.

Once again Ralph makes a very strong case for his warning that the Stuxnet code can be re-used by skilled attackers. This could allow them to craft new attack code that could be used to attack completely different process systems. He explains that the most effective attacks would still require similar levels of target process knowledge, but that generic attacks could be executed with next to no process information. I have discussed both of these possibilities in earlier blogs, but Ralph’s technical background and detailed Stuxnet knowledge lends much more credence to this prediction.

Ralph provides a very brief description of what he thinks it will take to defend against these Stuxnet-like attacks. He briefly dismisses ‘defense-in-depth’ because it doesn’t address the issue of controller compromise. I think this dismissal may be a little overdone because these techniques may make the compromise of controllers more difficult. But Ralph is correct, current cyber security measures do not specifically prevent controller level problems.

Ralph does, however, provide a brief description of a more effective preventive measure:

“The most effective prevention of controller hijacking would be digitally signed controller code and configuration. With today's technology, this can be implemented easily [emphasis added]. It can be expected that controller vendors will see this as a major business opportunity because the outlook to replace millions of controllers before end-of-lifetime with upgraded product versions means a multi-million dollar market.”

Since English is a second language for Ralph (though he uses it better than many native-speaking bloggers) it is hard to tell if the use of the term ‘implemented easily’ is sarcasm or just grossly understating the difficulties involved. He does mention the cost of the controllers, but completely ignores the process upsets that wholesale replacement of controllers would cause.

I do love the final sentence of the article, though. Ralph writes:

“Less efficient, but much cheaper solutions have just become available that detect and report configuration and code changes of network-attached S7 controllers.”

Readers of this blog will remember that Ralph’s company is the one that is selling this ‘solution’. Ralph has been clear that it does not prevent someone from modifying controller programming, but it does alert the user to any such change, hopefully allowing the controller to be shut down before there is any serious damage done to the process. Of course, in many chemical processes that shutdown may cause serious repercussions.
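The two approaches Ralph contrasts above, signed controller code that is checked before it is loaded and a cheaper monitor that only reports code and configuration changes, side by side as an added example. This is my illustration, not code from Ralph’s article or his company’s product. It assumes a controller project can be modeled as a set of named blocks of bytes (the block names and contents below are placeholders, not real controller code), and it uses HMAC-SHA256 with a hypothetical shared key in place of a vendor’s digital signature because that is what the Python standard library provides; a real scheme would use an asymmetric signature so that the verification key on the controller cannot be used to forge new code.

```python
import hashlib
import hmac
import json

# Constructed sample project: block name -> block contents. The names mimic
# S7-style naming but the bytes are placeholders, not real controller code.
BASELINE_PROJECT = {
    "OB1": b"\x01\x02\x03\x04 main cycle",
    "FC1": b"\x05\x06\x07 motor control",
    "DB1": b"\x00\x10\x20\x30 drive parameters",
}

# Hypothetical signing key. A production scheme would keep an asymmetric
# private key at the vendor/integrator and put only the public half on the
# controller; HMAC stands in here so the example runs with the stdlib alone.
SIGNING_KEY = b"hypothetical-vendor-signing-key"


def block_digests(project):
    """SHA-256 of every block, keyed by block name, in sorted order."""
    return {name: hashlib.sha256(project[name]).hexdigest() for name in sorted(project)}


def canonical_manifest(project):
    """Deterministic byte encoding of the block digests; this is what gets signed."""
    return json.dumps(block_digests(project), sort_keys=True, separators=(",", ":")).encode()


def sign_project(project, key=SIGNING_KEY):
    """Engineering-station side: return the manifest and its authentication tag."""
    manifest = canonical_manifest(project)
    return manifest, hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_before_load(project, manifest, tag, key=SIGNING_KEY):
    """Controller side: refuse to load code whose manifest does not verify or
    whose blocks do not match the signed manifest. Returns (ok, reason)."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest signature invalid"
    if canonical_manifest(project) != manifest:
        return False, "block contents do not match signed manifest"
    return True, "ok"


def detect_changes(baseline_digests, current_project):
    """Monitor side (the cheaper alternative): compare a fresh snapshot of the
    controller against the baseline and report added, removed and modified blocks."""
    current = block_digests(current_project)
    added = sorted(set(current) - set(baseline_digests))
    removed = sorted(set(baseline_digests) - set(current))
    modified = sorted(n for n in current if n in baseline_digests and current[n] != baseline_digests[n])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Sign the baseline, then inject code the way a controller hijack would and
    show that the load-time check rejects it and the monitor reports it."""
    manifest, tag = sign_project(BASELINE_PROJECT)
    tampered = dict(BASELINE_PROJECT)
    tampered["FC1"] = b"\x05\x06\x07 motor control + rogue timer"  # modified block
    tampered["FC999"] = b"\xde\xad injected"                         # injected block
    ok_clean, _ = verify_before_load(BASELINE_PROJECT, manifest, tag)
    ok_tampered, reason = verify_before_load(tampered, manifest, tag)
    report = detect_changes(block_digests(BASELINE_PROJECT), tampered)
    return ok_clean, ok_tampered, reason, report


if __name__ == "__main__":
    print(demo())
```

The load-time check stops the hijack outright, which is Ralph’s point; the monitor only tells you after the fact, which is why he calls it less efficient. Neither check as written protects against replaying an older, legitimately signed project, so a real implementation also needs a version or counter inside the signed manifest.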

Recommendation

In any case, anyone that is responsible for security of control systems ought to read this article. I also think that congressional staffers working on cyber security legislation need to take note of what Ralph is talking about. We can no longer afford to ignore control system cyber security when we discuss protecting computer systems.

I’m an information junkie, something that my long time readers will probably have guessed by the breadth of the topics about which I write. One of the best things about writing a blog is that I get to share all of the tidbits of information that I collect. It really gets good, however, when my blog causes more information to come my way. Typically that comes in the form of comments, emails and phone calls; all of which are good. Every once in a while it comes in the form of another blogger making a post to explain in more detail a fact that I shared, but didn’t fully understand.

That happened last week when Eric Byres at TofinoSecurity.com did a post explaining the fixed configuration firewall concept behind the new Honeywell Modbus Read-Only Firewall, a product based upon some Tofino Security technology. And Eric very generously credits one of my blog posts as the inspiration for that post. So it seems that we have an inter-blog conversation going; producing even more information. An info junkie's life just can’t get any better.

What is a Firewall?

Eric provides a good description in his blog about how a fixed configuration firewall works and in the process schooled me, at least, in the general operation of a firewall. I’ve understood what a firewall is designed to accomplish, but never quite bothered to find out how it works. Now Eric’s discussion will not allow me to actually configure a firewall (Eric is a good explainer, but it is, after all, only a single blog post), but I do have a better understanding of what’s going on.

Now, I’ve been exposed to computers for closing in on 50 years (I helped write my first computer program in 1964), but I am not a true computer geek, I’m more of a technically knowledgeable user. I can talk to geeks without them laughing at me and I always respectfully listen when they try to explain something to me; it helps make me a better user.

I realize that most of my readers, however, have probably never seen the inside of a computer and would have difficulty recognizing a line of code if they saw it. How to explain the operation of a firewall to them? I guess the best way is to go back to the namesake of the computer firewall, the fire safety firewall.

In fire safety a firewall is a non-flammable barrier protecting stuff on one side from a fire on another. First you have to understand that ‘non-flammable’ is not an absolute term. If the temperature is high enough, then just about anything will burn. So the designer of a firewall makes an educated guess about the maximum temperature of the potential fire on the other side of the barrier and selects a barrier composition to match that temperature.

Now firewalls do not provide absolute protection against the spread of fires, generally they just delay the spread of a fire until other fire response efforts can deal with the situation. Given that, a firewall is rated in the number of minutes that it will hold back a fire. You pay more for more minutes of protection. And of course you need to have a plan for detecting the fire and mobilizing your other fire protection measures in a timely manner.

The best firewalls have no openings in them. Unfortunately, in the real world a wall with no openings is seldom very useful, but any opening is going to provide a route for fire to get through the firewall. So fire safety engineers have developed over the years a number of ways of closing off these openings in the event of a fire. For people sized openings and larger, we call these devices fire doors.

The best of these fire doors normally remain closed and are only opened when something must move through the wall. In a high traffic area this is frequently a pain in the butt and eventually someone figures out that it is easier to just prop the door open. Then you no longer have a fire door, but instead have an unprotected hole in the firewall. Realizing that you can’t engineer human nature, fire safety people have come up with fire doors for high traffic openings that are normally open, but close automatically in the event of a fire. A flash fire or explosion will get through before they can close, but they are better than a normally closed fire door that has been wedged open for the sake of convenience.

A computer firewall provides a similar type of protection to a computer system. Instead of protecting against the spread of fire, it prevents the unapproved movement of information. It helps to prevent intruders from accessing the system or the unauthorized sending of information out of the system. The best protection allows no flow of information (no holes in the firewall, or ‘air gapped’ in computer-speak), but that is seldom practical. The next best solution is to provide a communication node through the firewall that is normally closed, but can be opened when necessary with appropriate restrictions on who/what can do the opening. That is followed by a normally open channel that automatically closes when a threat is detected. The least amount of protection is provided by a normally open port that has no threat detection capability protecting it. Actually, I guess the least protection is provided by the port that no one knows is open. In all cases, restricting what information can flow through the opening increases the level of protection.

To be most effective, any firewall needs to be protected by detection systems that tell someone when an intruder attempts to gain access or when someone attempts to transmit unauthorized information out of the system. And there must be a response capability that is triggered by the detection system.
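What “restricting what information can flow through the opening” looks like for the Modbus case Eric and Honeywell are addressing, as an added example of my own (it is not Tofino or Honeywell code and does not describe how their product is built). It assumes the firewall sits between an HMI and a controller and sees Modbus/TCP frames from the HMI side; the rule set is fixed at “read-only”: the four read function codes pass, every other function code and every malformed frame is dropped, and each drop produces an alert line for the detection and response side described above. The sample frames are constructed for the example, not captured from a real network.

```python
import struct

# Modbus function codes that only read process data. Anything not listed is
# dropped: a fixed, default-deny rule set rather than an editable policy.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# Named only so that a denied frame produces a readable alert.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(frame):
    """Parse the MBAP header and PDU of one Modbus/TCP frame.
    Raises ValueError for anything malformed; malformed frames are dropped."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts unit id + PDU, so the frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("length field %d disagrees with frame size %d" % (length, len(frame)))
    return {"tid": tid, "unit": unit, "function": frame[MBAP_LEN], "pdu": frame[MBAP_LEN:]}


def filter_frame(frame, alerts):
    """Return 'ALLOW' or 'DROP' for one HMI->controller frame and append an
    alert line for every drop so a detection/response process can act on it."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as err:
        alerts.append("DROP malformed frame: %s" % err)
        return "DROP"
    fc = msg["function"]
    if fc in READ_ONLY_FUNCTIONS:
        return "ALLOW"
    name = WRITE_FUNCTIONS.get(fc, "function 0x%02X" % fc)
    alerts.append("DROP unit %d tid %d: %s" % (msg["unit"], msg["tid"], name))
    return "DROP"


def build_frame(tid, unit, pdu):
    """Construct a Modbus/TCP frame (MBAP header + PDU) for the sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not a capture from a real network.
SAMPLE_FRAMES = [
    build_frame(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A])),                      # read 10 holding registers
    build_frame(2, 1, bytes([0x10, 0x00, 0x00, 0x00, 0x01, 0x02, 0x12, 0x34])),    # write multiple registers
    build_frame(3, 1, bytes([0x05, 0x00, 0x01, 0xFF, 0x00])),                      # write single coil ON
    build_frame(4, 1, bytes([0x01, 0x00, 0x00, 0x00, 0x08])),                      # read 8 coils
    b"\x00\x05\x00\x00\x00\x06\x01\x03",                                            # length field says 6 bytes follow; only 2 do
]


def run_filter(frames):
    """Apply the read-only rule to a list of frames; return decisions and alerts."""
    alerts = []
    decisions = [filter_frame(f, alerts) for f in frames]
    return decisions, alerts


if __name__ == "__main__":
    for decision, frame in zip(run_filter(SAMPLE_FRAMES)[0], SAMPLE_FRAMES):
        print(decision, frame.hex())
    for line in run_filter(SAMPLE_FRAMES)[1]:
        print(line)
```

The point of the fixed configuration is in the first two tables: there is no rule language for someone to get wrong, and a function code the filter has never heard of is treated the same as a write, not waved through. The alert list is the hook for the detection and response capability; a read-only firewall with nobody reading its drop log is the propped-open fire door again.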

So, now that you know what a firewall does, go read Eric’s explanation about the pitfalls of configuring firewalls and the benefit of fixed configuration firewalls.

Saturday, January 15, 2011

For the last couple of months or so I have been trying to get an official statement from the Infrastructure Security Compliance Division about the status of the memorandum of understanding between the Coast Guard and ISCD concerning the treatment of security at MTSA covered chemical facilities. It’s been kind of a low priority thing; send off the occasional email, make the occasional telephone call. Unfortunately, I have been unable to get an official response; not a ‘no comment’, just no response. No return emails, no phone calls answered. Just an ISCD information black hole.

So this week I started to do some unofficial checking, checking with some people that can’t give me an official answer. Even there, I’ve been having problems getting information, but apparently there are some internal problems at ISCD, problems that are causing people to tip-toe around and only talk in whispers and to be careful about who they talk to.

Management Problems

Let’s start at the Top. Ever since the Obama administration came to town, ISCD has been run by acting folks; an acting director and acting assistant director. This was because the Director, Sue Armstrong, had been temporarily pushed upstairs to fill another acting position. Now this is not unusual with a change in Administration. The political appointees at the top leave with the old administration and the career folks step up into acting positions to fill the void. Then they return to their old jobs when the new political appointees step in.

It has been two years now and the political appointment at the top of the chain that leads to ISCD has yet to be made. Everyone knows that Obama has had problems getting appointments confirmed in the Senate. There have been additional problems in finding appointees willing or able to take on these positions without running afoul of the internal administration rules on lobbyists. I don’t know what the cause is here, but there is too much acting going on in NPPD this late in the game.

This delay in making political appointments at DHS causes problems. Political decisions are not being made about policy, they are either being put on hold, or being kicked upstairs for resolution. Even worse, somewhere down the line, the stepping up process has created an empty management position and routine decisions there are being delayed or just not happening.

To make matters worse, I’m now hearing that the acting director and the acting deputy director were relieved last month. I’ve heard no details on why or exactly when, just that they are gone. Instead of pulling someone up from inside ISCD (and to be fair it is not a real large group to begin with) the Administration brought in two other career people from outside of NPPD to fill the acting positions.

Being from outside of NPPD, one would assume that they have very limited, if any, knowledge of the CFATS program, but I’m also hearing that they don’t even have a background in security or chemistry. That means that whatever skills and experience they had in their old jobs, here they are nothing but bureaucrats.

Hopefully this problem will be resolved when Sue Armstrong is able to step back down into her role as Director. She has the experience with CFATS and the two new people can get brought up to speed under her tutelage.

Labor Problems

Now, as if this management issue were not causing enough problems, it seems like there are additional problems down in the ranks. I’m hearing that the chemical facility inspectors are going to be voting on unionization in a couple of weeks. Whatever your position on unions in general, a union vote in today’s environment is a clear sign of a basic disconnect between labor and management.

I don’t know what the issues are here (and I would love to give the union folks a chance to air their grievances, they at least should be able to talk publicly about the issues; management can’t, not with a vote scheduled), but I can imagine that the daily life of a CFI is going to be rough, just because of the nature of the job. They have to spend most of their life on the road and the atmosphere on-site is going to vary from strained to confrontational. That makes for a tough work environment.

Add to that the political dissatisfaction with the pace of the inspection process, and I’m sure that there are enormous pressures put on these folks. Finally, they are still having to make-up the inspection process as they go as no one has done this kind of thing before. Complicating that further, each new facility that they go to is different than the ones before. That adds a whole new set of intellectual pressures, particularly with people that care about the mission.

That kind of work environment demands a management team that is involved and cares about the worker bees. It would help if they were experienced in the field and understood the work environment, but that is not possible here. There is no one with the experience or background. So it’s going to take a management team with an unusual amount of empathy and understanding to prevent the discord that leads to a unionization vote.

This brings to mind an interesting question. Did Deziel and Klessman get canned because their bosses felt they were the cause of the union vote? Or perhaps it was a move to address some of the apparent management issues by bringing in a new management team, one with perhaps more labor-management experience. In any case, if it was in part to deal with this situation, that would explain the current strained relationships in the offices at ISCD.

Problem Resolution

Both of these problems, whether or not they are linked, have got to be having a negative effect on work being done by the folks at ISCD. The CFATS program and the yet to be completed Ammonium Nitrate regulations are just too complex not to be delayed and held-up by these issues. And, they are too important to be delayed any further.

Since these problems appear to be at least partially political in nature, maybe it is time to take a political look at the issues. A congressional hearing or two might bring the problems out into the public focus where it apparently needs to be.

Friday, January 14, 2011

On January 6th, Rep Speier (D, CA) introduced HR 209, the Reducing Information Control Designations Act. The bill was finally made available by the GPO yesterday. The bill is designed to increase intra-governmental information sharing and ensure that the public has proper access to that information “by standardizing and limiting the use of information control designations” (§2). These designations are currently placed on unclassified but sensitive information, controlled unclassified information and information marked “For Official Use Only”.

This bill takes Executive Order 13556, Controlled Unclassified Information, promulgated last fall by President Obama, extends its provisions, and provides it with the force of Federal law. It makes each Federal agency responsible for reducing and minimizing its use “of information control designations on information that is not classified” {§3(a)}.

Regulating Information Control Designations

The Archivist of the United States is given the responsibility to establish the regulations governing the use of information control designations. Those regulations are specifically required to address {§3(b)(2)}:

● Standards for utilizing the information control designations in a manner that is narrowly tailored to maximize public access to information.

● The process by which information control designations will be removed.

● Procedures for identifying, marking, dating, and tracking information assigned the information control designations, including the identity of officials making the designations.

● Provisions to ensure that the use of information control designations is minimized.

● Provisions to ensure that the presumption shall be that information control designations are not necessary.

● Methods to ensure that compliance with this Act protects national security and privacy rights.

● Procedures for members of the public to be heard regarding improper applications of information control designations.

● A procedure to ensure that all agency policies and standards for utilizing information control designations that are issued pursuant to subsection (c) be provided to the Archivist and that such policies and standards are made publicly available on the Web site of the National Archives and Records Administration.

Additionally the Archivist is expected to ensure that each piece of information marked with information control designations is also marked with information identifying the person applying the information control designation. This is being required to allow the agencies to track who is misusing such designations.

While EO 13556 specifically addresses the matter of information control designations that are established in law or regulation, and excepts those so established from possible elimination, there are no such provisions in this bill. Where information control designations are clearly established by law this sets up an interesting conflict, but where the basis of establishment is just by regulatory fiat, this bill (if passed) would clearly take precedence.

Chemical-Terrorism Vulnerability Information (CVI)

CVI is not specifically mentioned in this bill, but it is clearly one of the information control designations covered under its provisions. Since CVI has its underpinnings established in Federal Law, it is one of the designations for which there are potential conflicts. I don’t believe that this bill would allow for the elimination of CVI (though that is an interesting nit to pick for lawyers). Nor do I believe that the major disclosure provisions would be modified, since those are set forth in the §550 CFATS authorizing language. The detailed control and marking provisions would certainly be subject to potential revision.

The provision of this bill that would provide the most obvious problems from a CVI perspective would be the requirements for identifying the person responsible for the initial marking of the document. Since copies of the CFATS submission documents are electronically generated and designated CVI by regulation, it is not clear how copies printed at the regulated facility would receive this marking. One of the facility CSAT authorized personnel would clearly not be the Federal Official making the designation.

There will be similar types of problems with just about all of the information control designations currently in use.

No one who has worked with government agencies would disagree with the underlying premise of this bill; that there is a natural tendency for a number of understandable (and sometimes illegitimate) reasons for such agencies to over-classify information. Passage of this bill would do little to address the underlying problems causing that over-classification. Until that is done, the use of procedures like those outlined in this bill will do little more than muddy the waters and extend the bureaucracy even further.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. I'm now working as a QA Manager in a specialty chemical manufacturing facility.